On October 26, 2017, GNU Wget announced a buffer overflow vulnerability in versions earlier than 1.19.2. When a user retrieves a specially crafted HTTP link with a vulnerable version of Wget, a malicious HTTP response can attack the user's host, leading to a DoS or to execution of malicious code. The vulnerability IDs are CVE-2017-13089 and CVE-2017-13090.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-13089 and CVE-2017-13090

Vulnerability name

Wget stack buffer overflow vulnerability

Vulnerability rating

Middle

Vulnerability description

The vulnerability exists in the src/http.c source code file. In some circumstances where the http.c:skip_short_body() function is called, the chunk parser uses strtol() to read each chunk's length but does not check that the length is a non-negative number. When Wget calls the function, the chunk content and length are fully controlled by the attacker. As a result, the stack buffer overflows in the fd_read() function.

This vulnerability can be exploited to launch DoS attacks.
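The defect described above is a missing sign check on a chunk length read with strtol(). The following added example (written for this page, not Wget's own code) shows a hypothetical chunk-size parser, parse_chunk_size(), that rejects a negative, non-hex, overflowing or oversized length before any data is read, and a walker, total_declared_bytes(), that applies it to a constructed chunked body. Both function names, the max_chunk cap and the sample bodies are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Wget's code): parse the size field of one
   HTTP/1.1 chunk header such as "1a3;ext=val\r\n".  Returns 0 and stores
   the size on success, -1 if the field is missing, signed, non-hex,
   overflows a long, or exceeds max_chunk (the caller's buffer size). */
int parse_chunk_size(const char *line, long max_chunk, long *size_out)
{
    char *end;
    long n;

    if (line == NULL || size_out == NULL || max_chunk < 0)
        return -1;

    /* strtol() silently accepts an optional sign; an unchecked leading '-'
       is exactly how a negative length reached the read loop before 1.19.2,
       so refuse any sign explicitly. */
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '-' || *line == '+')
        return -1;

    errno = 0;
    n = strtol(line, &end, 16);
    if (end == line)               /* no hex digits at all */
        return -1;
    if (errno == ERANGE || n < 0)  /* overflow or (belt and braces) negative */
        return -1;
    if (n > max_chunk)             /* larger than the buffer we read into */
        return -1;

    /* Only chunk extensions or the line terminator may follow the digits. */
    if (*end != ';' && *end != '\r' && *end != '\n' && *end != '\0')
        return -1;

    *size_out = n;
    return 0;
}

/* Convenience wrapper: 1 if the header line carries an acceptable size. */
int chunk_size_ok(const char *line, long max_chunk)
{
    long sz;
    return parse_chunk_size(line, max_chunk, &sz) == 0;
}

/* Walk a chunked body, summing the declared chunk sizes up to the
   terminating zero-size chunk.  Returns -1 as soon as any header is
   rejected or the body is truncated, so no bad length is ever used. */
long total_declared_bytes(const char *body, long max_chunk)
{
    long total = 0;
    const char *p = body;

    while (*p) {
        long sz;
        if (parse_chunk_size(p, max_chunk, &sz) != 0)
            return -1;
        if (sz == 0)
            return total;              /* last chunk reached */
        total += sz;

        p = strstr(p, "\r\n");         /* skip the header line */
        if (p == NULL)
            return -1;
        p += 2;
        if ((long)strlen(p) < sz + 2)  /* chunk data plus its CRLF */
            return -1;
        p += sz + 2;
    }
    return -1;                         /* no terminating chunk */
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *good = "5\r\nhello\r\n3;x=y\r\nabc\r\n0\r\n\r\n";
    const char *neg  = "-1\r\n\r\n";

    printf("good body declares %ld bytes\n", total_declared_bytes(good, 65536));
    printf("negative chunk size rejected: %s\n",
           total_declared_bytes(neg, 65536) < 0 ? "yes" : "no");
    return 0;
}
```

The cap against max_chunk matters as much as the sign check: a chunk length that is positive but larger than the destination buffer would overflow it just the same, so the parser enforces both before a single byte of chunk data is consumed.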

Condition and method of exploitation

Command execution may be triggered when a user downloads HTTP links using Wget.

PoC status

Published

Affected scope

GNU Wget of versions earlier than 1.19.2.

Red Hat Linux

Unaffected: Red Hat Linux 5 and 6

Affected: Red Hat Linux 7

Ubuntu: Ubuntu 12, 14, and 16 are affected. The patch has been released to fix it.

Run the wget -V command to check whether an affected version of Wget is installed.

How to fix or mitigate

The vulnerability details and test code have been published, and the major operating system vendors have released patches that fix the vulnerability. To prevent security incidents, Alibaba Cloud Security recommends that you upgrade your software to the latest version.